Y2KCOUNT


NAME: Y2KCount 
        ALIAS: Polyglot, Count2K, Y2KCount Update from Microsoft 
        SIZE: 124885 
        Risk Assessment : MEDIUM 

        The Y2KCount trojan first appeared on September 15th, 1999. It came as a Y2KCount.EXE file attached to a message
        supposedly sent from Microsoft support. The message looked like this: 

             From: [email protected]
             Sender: [email protected]
             Subject: Microsoft Announcement
             Date: Wed, 15 Sep 1999 00:49:57 +0200 


             To All Microsoft Users, 

             We are excited to announce Microsoft Year 2000 Counter. 

             Start the countdown NOW.
             Let us all get in the 21 Century.
             Let us lead the way to the future and we
             will get YOU there FASTER and SAFER. 

             Thank you, 

             Microsoft Corporation 

        The e-mail was definitely faked, but the trick worked: a number of users launched the attachment and became infected.
        The attachment, Y2KCount.EXE, is a self-extracting ZIP archive that contains the installation pack for the new Internet trojan.
        The archive holds 5 files (PROJECT1.EXE and 4 DAT files); the PROJECT1.EXE file serves as the installer for the trojan.
        When run, Y2KCount.EXE shows a fake error message. 

        This is a disguise. At the same time the trojan installs itself into the system. It copies 4 files into the \Windows\System\ directory:
        PROCLIB.EXE, PROCLIB.DLL, PROCLIB16.DLL, NTSVSRV.DLL. Then the SYSTEM.INI file is modified so that the trojan is
        started automatically at the next Windows boot. The trojan appends the string 'ntsvsrv.dll' to the list of drivers to start
        (after the 'drivers=' tag). During the next Windows startup NTSVSRV.DLL gets control, renames WSOCK32.DLL to
        NLHVLD.DLL and copies PROCLIB16.DLL as WSOCK32.DLL. This allows the trojan to monitor Internet activity on the
        infected system. 

        While active, the trojan checks Internet traffic for the text strings 'login', 'password' and 'username'. This is done to get the user's
        dial-up and network passwords. This action is typical for password-stealing trojans, but the Y2KCount trojan might also
        function as a backdoor. The trojan works only under Windows 95 and 98. 

        The analysis of the Y2KCount trojan is in progress. As soon as it is completed, the description will be updated with new details
        and an anti-virus database update will be provided on our ftp site. 

        If you are infected, you can try to remove the trojan from your system manually. This should be done only from DOS. The
        following 4 trojan files should be deleted from the \Windows\System folder: 

             PROCLIB.EXE
             PROCLIB.DLL
             PROCLIB16.DLL
             NTSVSRV.DLL


        The 'ntsvsrv.dll' string (the trojan startup command) should be removed from the SYSTEM.INI file. You can edit this file using the EDIT
        command at the DOS prompt. The trojan execution string follows the other drivers listed after the 'drivers=' tag (it should be the
        last in the list in case of a recent infection). Finally, NLHVLD.DLL should be renamed back to WSOCK32.DLL. This restores the
        Windows Sockets library renamed by the trojan. After that the system should be restarted for the changes to take effect. 
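        As an added example (not part of the original description), the following Python script encodes the indicators listed above and the SYSTEM.INI cleanup step: it reports which of the 4 trojan files and the renamed NLHVLD.DLL are present in a System directory, and strips the 'ntsvsrv.dll' entry from the 'drivers=' line while keeping the legitimate drivers. The sample SYSTEM.INI fragment and the default System path are constructed assumptions.

```python
import os

# Indicators from the description: the four dropped files, the SYSTEM.INI
# startup entry, and the name the trojan gives the real Windows Sockets library.
TROJAN_FILES = {"PROCLIB.EXE", "PROCLIB.DLL", "PROCLIB16.DLL", "NTSVSRV.DLL"}
TROJAN_DRIVER = "ntsvsrv.dll"
RENAMED_WSOCK = "NLHVLD.DLL"

def classify_indicators(names):
    # Names are compared case-insensitively, as on a FAT file system.
    upper = {n.upper() for n in names}
    return {"trojan_files": sorted(TROJAN_FILES & upper),
            "wsock32_renamed": RENAMED_WSOCK in upper}

def check_system_dir(system_dir=r"C:\Windows\System"):
    # Convenience wrapper over a real directory (the default path is an assumption).
    return classify_indicators(os.listdir(system_dir))

def clean_drivers_line(line):
    # Drop the trojan's token from a 'drivers=' line, keeping the others in order.
    key, _, value = line.partition("=")
    kept = [t for t in value.split() if t.lower() != TROJAN_DRIVER]
    return key + "=" + " ".join(kept)

def clean_system_ini(text):
    # Returns (cleaned text, found); found is True if the startup entry was present.
    found, lines = False, []
    for line in text.splitlines():
        s = line.strip()
        if s.lower().startswith("drivers=") and TROJAN_DRIVER in s.lower():
            found, line = True, clean_drivers_line(s)
        lines.append(line)
    cleaned = "\n".join(lines) + ("\n" if text.endswith("\n") else "")
    return cleaned, found

# Constructed sample SYSTEM.INI fragment showing a fresh infection: the trojan's
# entry is the last one on the drivers= line, as the description says.
SAMPLE_SYSTEM_INI = ("[boot]\nshell=Explorer.exe\n"
                     "drivers=mmsystem.dll power.drv ntsvsrv.dll\n"
                     "[386Enh]\ndevice=*vshare\n")

if __name__ == "__main__":
    cleaned, found = clean_system_ini(SAMPLE_SYSTEM_INI)
    print("startup entry found:", found)
    print(cleaned)
```

        Deleting the files and renaming NLHVLD.DLL back to WSOCK32.DLL still has to be done from DOS, as described above; the script only identifies what is present and produces the corrected SYSTEM.INI text.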

        [Analysis: Alexey Podrezov, Data Fellows]